Zoom Video Calls Using Adaptive Telehealth’s Self-Hosted Service Are HIPAA-Compliant
To make Zoom HIPAA-compliant, every Zoom video call that originates from within Adaptive Telehealth is placed through the Adaptive Telehealth self-hosted version of Zoom.
The security configuration is unique to Adaptive Telehealth
Adaptive Telehealth worked with Zoom many years ago to modify the Zoom software on the Adaptive Telehealth HIPAA-compliant servers. We modified the receiving code at Zoom corporate office for the Adaptive Telehealth account. This is so that Zoom could still receive usage reports, but without also receiving electronic Protected Health Information (ePHI). With these modifications, no ePHI is sent to Zoom from Meeting Connector on Adaptive Telehealth servers. This took many months of development.
Our verification of this security came through packet sniffing to trace internet transmissions. We also made patient support calls to Zoom asking for assistance. We were told that they cannot help us because they cannot view our identity (our desired result). Adaptive Telehealth patients are supported through Adaptive Telehealth directly or by the customer if they choose.
Note that we do permit the sending of the IP and user identity of the provider to Zoom because this is not ePHI. These users can be supported by Zoom directly if they wish or through Adaptive Telehealth support.
This explanation is not meant to disparage Zoom. We like Zoom. Rather, it is important to know the extensive work Adaptive Telehealth has done to keep Protected Health Information from Zoom, from Zoom’s marketing partners like Facebook and Google, and from any other third party that does not have a Business Associate Agreement (BAA) with our customer.
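The two mechanisms described above, an allow-list filter on the usage report so that patient data never leaves the self-hosted connector, and a review of captured outbound traffic to confirm it, can be illustrated with a small script. This is an added example, not Adaptive Telehealth's or Zoom's code; every field name, host name and sample value in it is a constructed assumption, and the vendor host stands in for whatever endpoint actually receives usage reports.

```python
"""Added example (not Adaptive Telehealth's or Zoom's code): allow-list scrubbing
of a meeting usage report so it carries no ePHI, and a check over captured
outbound records of the kind a packet-capture review would produce.
All field names, hosts and sample values are constructed assumptions."""
from dataclasses import dataclass
import json

# Fields a usage report may carry to the vendor. Provider identity and IP are
# permitted (they are not ePHI); patient identifiers are not. Assumed names.
ALLOWED_REPORT_FIELDS = {
    "meeting_id", "start_time", "duration_minutes",
    "participant_count", "provider_id", "provider_ip",
}

# Hosts that hold a BAA with the customer and may receive ePHI (constructed).
BAA_HOSTS = {"video.telehealth-internal.example"}


def scrub_usage_report(report: dict) -> dict:
    """Keep only allow-listed fields. An allow-list is used rather than a
    deny-list so that a newly added patient field is dropped by default."""
    return {k: v for k, v in report.items() if k in ALLOWED_REPORT_FIELDS}


@dataclass
class OutboundRecord:
    """One reassembled outbound message from a capture: destination host and
    decoded application payload."""
    dst_host: str
    payload: str


def find_ephi_leaks(records, ephi_values):
    """Return (host, matched values) for every record that carries a known
    patient value to a host outside the BAA set."""
    leaks = []
    for rec in records:
        if rec.dst_host in BAA_HOSTS:
            continue  # BAA-covered destination, ePHI permitted
        hits = sorted(v for v in ephi_values if v in rec.payload)
        if hits:
            leaks.append((rec.dst_host, hits))
    return leaks


# --- Constructed sample data ------------------------------------------------
RAW_REPORT = {
    "meeting_id": "m-1001", "start_time": "2024-01-08T15:00:00Z",
    "duration_minutes": 45, "participant_count": 2,
    "provider_id": "prov-42", "provider_ip": "203.0.113.10",
    # patient fields that must never leave the self-hosted connector
    "patient_name": "Jane Q. Sample", "patient_ip": "198.51.100.7",
}
PATIENT_VALUES = {"Jane Q. Sample", "198.51.100.7"}
VENDOR_HOST = "usage.vendor.example"  # placeholder for the vendor's report endpoint


def demo_records():
    """Three constructed captured messages: the scrubbed report to the vendor,
    the unscrubbed report to the vendor (what the check must catch), and the
    unscrubbed report to the BAA-covered internal host (permitted)."""
    return [
        OutboundRecord(VENDOR_HOST, json.dumps(scrub_usage_report(RAW_REPORT))),
        OutboundRecord(VENDOR_HOST, json.dumps(RAW_REPORT)),
        OutboundRecord("video.telehealth-internal.example", json.dumps(RAW_REPORT)),
    ]


if __name__ == "__main__":
    for host, hits in find_ephi_leaks(demo_records(), PATIENT_VALUES):
        print(f"ePHI sent to non-BAA host {host}: {hits}")
```

Run as written, only the second constructed record is reported: the scrubbed report contains the provider's identity and IP but none of the patient values, and the internal host is covered by a BAA. The allow-list matters more than the leak check: the check can only look for values it already knows, so it is a verification step, not the control itself.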
Adaptive Telehealth Takes HIPAA Compliance Very Seriously
There is a lot of confusion in the marketplace about HIPAA compliance and telehealth software. Technically speaking, the software cannot be HIPAA compliant because the software itself is not a “Covered Entity”. A covered entity is a person or an organization. When software states they are “HIPAA Compliant”, they are most often referencing their encryption of data and their willingness to sign a BAA.
HIPAA compliance involves much more than encryption and a BAA. It is a comprehensive program of administrative, physical and technological controls (encryption is just one). These controls work together to protect electronic Protected Health Information (ePHI) under the Final HIPAA Omnibus Rule.
Adaptive Telehealth goes beyond what many other software companies do to comply with HIPAA security. Our HIPAA security is headed by Jay Ostrowski, a HIPAA compliance expert. Jay has created training in HIPAA compliance for telemental health for SAMHSA, HRSA, the Telehealth Resources Centers, NBCC and CCE.
If you are in need of assistance with the provider side of HIPAA compliance, we are available to assist you. Please contact us here.
Here are some of the HIPAA security measures of Adaptive Telehealth:
- Data Center Entry: dual-factor authentication. In order to enter the data center, a person must:
  - Have prior authorization from management
  - Be on the approval list
  - Have the approved access code
  - Present two forms of personal identification; and
  - Have their identity confirmed using the biometric fingerprint scanner.
- Visitor logging and auditing – The entries in the logbook must directly match the video surveillance tapes. An independent audit confirms the match of visitor logs with the video archives.
- Video surveillance – Video logs kept for 90 days.
- Procedure Documentation – Documentation for the procedure to allow access by unannounced visit, phone call, or email.
- Annual data center HIPAA audit by a 3rd-party entity, performed using the OCR Audit Protocol. The data center has passed with a 100% compliance rating.
- Annual Risk Assessment
- Assigned Security Responsibility via corporate privacy officer
- Required annual HIPAA staff training
- Corporate information access management policies and procedures
- Security incident procedures and Breach Notification Plan
- Contingency data access plan
- Regular risk evaluation, risk mitigation plans, and monitoring processes
- Business Associate Agreement with contracted users
- Disaster preparedness and disaster response
All electronic Protected Health Information (ePHI) is protected by several means, including:
- Access Control – Unique user identification, emergency access procedure, and automatic logoff after 10 minutes of inactivity
- Centralized logging; OS change management and patch management
- IPS/IDS Protection
- 256-bit encryption in-transit and integrity controls
- Data encryption at rest
- Password requirement: at least 8 characters, including a symbol, an upper-case letter, a lower-case letter, and a number
- Audit controls
- Antivirus and anti-malware
- Dedicated HIPAA-compliant Firewall
- Web application firewall
- Two-factor VPN for root access
- Daily Offsite backup
- Daily file-level backup with 14-day retention to an alternate data center of the same type and security protections
- Backup data: encryption at rest and 256-bit encryption in transit to the backup site
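Two of the listed technical controls, the password composition rule and the 10-minute inactivity logoff, are the kind of thing an application enforces in code rather than in infrastructure. The following is an added example showing one way to enforce them; it is not Adaptive Telehealth's code. The thresholds (8 characters, 10 minutes) come from the list above; the class and function names, and the constructed login time, are assumptions.

```python
"""Added example (not Adaptive Telehealth's code): enforcement of two listed
access controls, the password composition rule and the 10-minute inactivity
logoff. The thresholds follow the page; names and sample data are assumed."""
from datetime import datetime, timedelta, timezone

MIN_PASSWORD_LENGTH = 8
INACTIVITY_LIMIT = timedelta(minutes=10)


def password_policy_violations(password: str) -> list:
    """Return the unmet requirements; an empty list means the password complies."""
    checks = [
        (len(password) >= MIN_PASSWORD_LENGTH, f"at least {MIN_PASSWORD_LENGTH} characters"),
        (any(c.isupper() for c in password), "an upper-case letter"),
        (any(c.islower() for c in password), "a lower-case letter"),
        (any(c.isdigit() for c in password), "a number"),
        (any(not c.isalnum() and not c.isspace() for c in password), "a symbol"),
    ]
    return [requirement for ok, requirement in checks if not ok]


class Session:
    """Server-side session invalidated once INACTIVITY_LIMIT has elapsed with
    no request. The timestamp is supplied by the server, never by the client,
    so the client cannot extend its own session by lying about the time."""

    def __init__(self, user_id: str, now: datetime):
        self.user_id = user_id
        self.last_activity = now
        self.active = True

    def touch(self, now: datetime) -> bool:
        """Record a request at `now`. Returns False and logs the session out if
        the limit had already elapsed, so an expired session rejects the request
        instead of being silently revived by it."""
        if not self.active:
            return False
        if now - self.last_activity >= INACTIVITY_LIMIT:
            self.active = False
            return False
        self.last_activity = now
        return True


def simulate_session(request_offsets_seconds):
    """Replay requests at the given offsets (seconds after login) against one
    session and return the accept/reject decision for each request."""
    login = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed login time
    session = Session("prov-42", login)  # constructed user id
    return [session.touch(login + timedelta(seconds=off)) for off in request_offsets_seconds]


if __name__ == "__main__":
    print(password_policy_violations("Password1"))          # missing a symbol
    print(simulate_session([599, 1140, 1740, 1800]))        # last two rejected
```

The boundary case is handled deliberately: a request arriving exactly 10 minutes after the previous one is rejected, and a session that has been logged out for inactivity stays logged out even if the client keeps sending requests.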